
Symantec Web Gateway XSS / CSRF / SQL Injection / Command Injection
Posted Jul 26, 2013
Authored by Wolfgang Ettlinger | Site sec-consult.com

Symantec Web Gateway versions 5.1.0.* and below suffer from cross site request forgery, cross site scripting, command injection, and remote SQL injection vulnerabilities.

tags | exploit, remote, web, vulnerability, xss, sql injection, csrf
advisories | CVE-2013-1616, CVE-2013-1617, CVE-2013-4670, CVE-2013-4671, CVE-2013-4672
SHA-256 | f5687779117e75bfab54e5c4e26cfc839c5928b756b4cf1652789d76e8d5aadc

SEC Consult Vulnerability Lab Security Advisory < 20130726-0 >
=======================================================================
title: Multiple vulnerabilities - Surveillance via Symantec Web Gateway
product: Symantec Web Gateway
vulnerable version: <= 5.1.0.*
fixed version: 5.1.1
CVE number: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670, CVE-2013-4671, CVE-2013-4672
impact: Critical
homepage: https://www.symantec.com/
found: 2012-12-18
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Symantec Web Gateway protects organizations against multiple types of Web-borne
malware and gives organizations the flexibility of deploying it as either a
virtual appliance or on physical hardware. Powered by Insight, Symantec’s
innovative reputation based malware filtering technology, Web Gateway relies on
a global network of greater than 210 million systems to identify new threats
before they cause disruption in organizations."

URL: https://www.symantec.com/web-gateway


Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
Symantec Web Gateway in the course of a short crash test. Some components have
been spot-checked, while others have not been tested at all.

Several of the discovered vulnerabilities below can be chained together in
order to run arbitrary commands with the privileges of the "root" user on the
appliance.

An attacker can gain unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (e.g. Active
Directory/LDAP credentials) which can be used in further attacks.
Since all web traffic passes through the appliance, it is possible to intercept
HTTP traffic, as well as the plaintext form of HTTPS traffic if the SSL Deep
Inspection feature is in use, including sensitive information such as passwords
and session cookies.

If SSL Deep Inspection is enabled, the appliance holds the private key of a
Certificate Authority (CA) certificate that is installed and trusted on all
workstations in the company. If an attacker compromises this private key,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling various attacks targeting
clients (further MITM attacks, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
A reflected cross site scripting vulnerability was found. This allows
effective session hijacking attacks of administrator session cookies.


2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
Moreover, a persistent cross site scripting vulnerability allows an
unauthenticated user to inject script code into the administration interface.
This script code will be executed once an administrator visits the
administration interface.


3) OS Command Injection (CVE-2013-1616)
Multiple OS command injection vulnerabilities were discovered. Authenticated
users can execute arbitrary commands on the underlying operating system with
the privileges of the "apache" operating system user.

This can be used to gain persistent access to the affected system (e.g. by
planting backdoors), to access all kinds of locally stored information, or to
intercept web traffic that passes through the appliance.


4) Security Misconfiguration (CVE-2013-4672)
Unprivileged operating system users (e.g. apache) can gain root privileges
due to a misconfiguration of the sudo program.


5) SQL Injection (CVE-2013-1617)
Several SQL injection vulnerabilities were identified that allow an
authenticated administrator to issue manipulated SQL commands.


6) Cross Site Request Forgery (CVE-2013-4671)
The cross site request forgery protection implemented can be bypassed easily.
Using this vulnerability, an attacker can issue requests in the context of
administrative user sessions.


Several of the vulnerabilities above can be chained together by an
unauthenticated attacker in order to run arbitrary commands with the
privileges of the "root" operating system user on the appliance.


Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
The following URL demonstrates a reflected cross site scripting vulnerability:

https://<host>/spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E


2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
The "blocked.php" page, which is accessible without authentication, allows
injecting script code into the "Blocking Feedback" functionality of the
administration interface. The following URL demonstrates this issue. The
payload of the parameter "u" will be stored permanently:

https://<host>/spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E


3) OS Command Injection (CVE-2013-1616)
The functionality to change the hostname as well as the "Test Ping"
functionality allow injecting commands enclosed in backticks (`). These commands
are run as the system user "apache".
Affected scripts: /spywall/nameConfig.php
                  /spywall/networkConfig.php

Detailed proof of concept exploits have been removed for this vulnerability.


4) Security Misconfiguration (CVE-2013-4672)
The /etc/sudoers file allows the users "apache" and "admin" to run several
critical commands with root privileges. As the user "apache" is able to run
commands like "chmod", "chown" and "insmod" without a password, an attacker
who is able to issue commands as this user (see 3) can effectively gain root
privileges.
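To audit an appliance for the sudo misconfiguration described above, the following Python script (added here; not part of the advisory) parses sudoers rules and reports every non-root user who is granted an escalation-capable command such as chmod, chown or insmod, noting whether NOPASSWD applies. The sudoers excerpt embedded in it is constructed for illustration and is not the appliance's actual file.

```python
import re

# Constructed /etc/sudoers excerpt (not the appliance's real file); the
# "apache" entry mirrors the pattern the advisory describes.
SAMPLE_SUDOERS = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
apache  ALL=(root) NOPASSWD: /bin/chmod, /bin/chown, /sbin/insmod, /sbin/service httpd restart
admin   ALL=(root) NOPASSWD: /sbin/reboot
backup  ALL=(root) /usr/bin/rsync   # password still required
"""

# Commands that let the caller reach root: chmod/chown can turn any file into
# a root-owned SUID binary, insmod/modprobe load kernel code, ALL is unrestricted.
RISKY = {"chmod", "chown", "insmod", "modprobe", "ALL"}

# user  host=(runas)  [TAG: ...]  command list
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, command, nopasswd) for every non-root rule granting a risky command."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for spec in m.group("cmds").split(","):
            words = spec.split()
            if not words:
                continue
            base = words[0].rsplit("/", 1)[-1]   # /bin/chmod -> chmod
            if base in RISKY:
                findings.append((m.group("user"), base, nopasswd))
    return findings

if __name__ == "__main__":
    for user, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} may run {cmd} as root" + (" without a password" if nopasswd else ""))
```

The parser covers plain single-line rules only; aliases (User_Alias, Cmnd_Alias) and #include files would need to be expanded first.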


5) SQL Injection (CVE-2013-1617)
The following URLs demonstrate the SQL injection flaws found by printing the
username and password hash of all users:

https://<host>/spywall/feedback_report.php?variable[]=1) UNION SELECT 1,2,3,4,username,6,7,8,9,password FROM users -- &operator[]=notequal&operand[]=x
https://<host>/spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password,5,6,7,8,9,10,111,12,13,14,15,16,17,18%20FROM%20users%20--%20


6) Cross Site Request Forgery (CVE-2013-4671)
As an example, the following request configures an LDAP server to authenticate
administrative users:

POST /spywall/ldapConfig.php HTTP/1.1
Host: <host>
Cookie: PHPSESSID=<valid-cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 247

posttime=9999999999&saveForm=Save&useldap=1&ldap_host=0.0.0.0&ldap_port=389&auth_method=Simple&search_base=dc%3Dtest%2Cdc%3Dlocal&ldap_user=test&ldap_password=test&dept_type=dept&user_attribute=sAMAccountName&user_attribute_other=&ldap_timeout=168

The sole CSRF protection is the "posttime" parameter, which contains a Unix
timestamp that has to be greater than the one in the last request. Using a
value such as "9999999999" therefore always succeeds.
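As an added illustration (not the vendor's code or fix), the following Python sketch models the monotonic-timestamp check described above and contrasts it with a session-bound synchronizer token; the class and method names are hypothetical. A timestamp is public knowledge and only has to exceed the previous one, so any third-party page can supply an acceptable value, whereas a random per-session token is unknown to a cross-site page and cannot be guessed.

```python
import hmac
import secrets

class PostTimeCheck:
    """Models the check the advisory describes: the submitted "posttime"
    must be greater than the one seen in the previous request."""
    def __init__(self):
        self.last_posttime = 0

    def accept(self, posttime):
        if posttime <= self.last_posttime:
            return False
        self.last_posttime = posttime
        return True


class SynchronizerToken:
    """Hardened alternative (added here, not the vendor's fix): a random,
    session-bound token embedded in every state-changing form. A cross-site
    page cannot read the token, so it cannot build an acceptable request."""
    def __init__(self):
        self._by_session = {}          # session id -> current token

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def accept(self, session_id, submitted):
        expected = self._by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time compare


def demo():
    """Returns (forged passes weak check, legit passes token check, forged fails token check)."""
    weak = PostTimeCheck()
    weak.accept(1374825600)                  # a legitimate admin save
    forged_ok = weak.accept(9999999999)      # the advisory's value: always "newer"
    strong = SynchronizerToken()
    tok = strong.issue("admin-session")
    legit_ok = strong.accept("admin-session", tok)
    forged_fail = strong.accept("admin-session", "9999999999")
    return forged_ok, legit_ok, forged_fail
```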



Attack scenario:
----------------

Using the vulnerabilities mentioned above, the following attack has been
implemented (the exploit code will not be published):

1) A user protected by Symantec Web Gateway visits a website that embeds an
image (possible in most web forums), a URL or an IFrame. The URL of the
resource points to a blocked page (e.g. the EICAR test file) and also
includes script code (Persistent XSS).
2) The Symantec Web Gateway blocks the request and redirects the user to the
blocked.php script. If the blocked URL contains the parameter "history=-2"
(which has been added by the attacker), the URL/script (Persistent XSS) is
automatically stored as a "Blocking Feedback" entry in the admin interface.
3) When the administrator visits the "Blocking Feedback" page, the injected
script is executed. Using the OS command injection flaw, the script then
automatically downloads and executes a shell script.
4) As the user "apache" has permission to execute "chmod" and "chown" as root,
the shell script can now create a SUID binary and run a reverse shell as root.
5) The attacker can now access the system with the highest (root) privileges.

Note: This attack only requires a user (protected by the Symantec Web
Gateway) to visit a "malicious" page. This can be achieved by sending phishing
mails to employees, or embedding images, URLs or IFrames in websites employees
would likely visit.

If the attacker already has access to the target network, this is of course not
necessary - the persistent XSS vulnerability can be exploited directly.

Note: No prior knowledge about hostnames or internal IP addresses in the target
network is needed!

A detailed proof of concept exploit has been created but will not be
published.
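To turn the request patterns from the proof-of-concept section into detection logic, here is an added Python example (not part of the advisory) that scans Apache-style access-log lines for the stored XSS, reflected XSS and SQL injection requests against the /spywall/ scripts; the log lines embedded in it are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache-style access-log lines (not from the advisory); the
# request targets mirror the proof-of-concept URLs, plus two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2013:10:00:01 +0200] "GET /spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E HTTP/1.1" 200 512
10.0.0.7 - - [26/Jul/2013:10:00:02 +0200] "GET /spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password%20FROM%20users%20--%20 HTTP/1.1" 200 2048
10.0.0.8 - - [26/Jul/2013:10:00:03 +0200] "GET /spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E HTTP/1.1" 200 1024
10.0.0.9 - - [26/Jul/2013:10:00:04 +0200] "POST /spywall/ldapConfig.php HTTP/1.1" 302 0
10.0.0.2 - - [26/Jul/2013:10:00:05 +0200] "GET /spywall/blocked.php?id=1&u=http://example.test/eicar.com HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UNION_SELECT_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.IGNORECASE | re.DOTALL)

def classify(line):
    """Return (script name, rule names that fire) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return "", []
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/spywall/"):
        return "", []
    script = url.path.rsplit("/", 1)[-1]
    params = parse_qs(url.query, keep_blank_values=True)   # percent-decodes values
    def first(key):
        return params.get(key, [""])[0]
    rules = []
    # UNION ... SELECT anywhere in the decoded query of an admin script.
    if UNION_SELECT_RE.search(unquote_plus(url.query)):
        rules.append("sql-injection-probe")
    # history=-2 makes blocked.php store "u" as Blocking Feedback; "u" should be a URL, never markup.
    if script == "blocked.php" and first("history") == "-2" and re.search(r"[<>]", first("u")):
        rules.append("stored-xss-via-blocking-feedback")
    # rpp is a numeric page-size value; anything else is reflected into the page.
    if script == "feedback_report.php" and first("rpp") and not first("rpp").isdigit():
        rules.append("reflected-xss-probe")
    return script, rules

def scan(log_text):
    """Return (source ip, script, rule) for every log line that fires a rule."""
    hits = []
    for line in log_text.splitlines():
        script, rules = classify(line)
        for rule in rules:
            hits.append((line.split(" ", 1)[0], script, rule))
    return hits
```

The "posttime" CSRF bypass travels in the POST body, which an access log does not record, so it cannot be detected this way; the stored-XSS rule fires on the victim's request, i.e. before the administrator ever opens the Blocking Feedback page.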


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Symantec Web Gateway
version 5.1.0.39, which was the most recent version at the time of discovery.

Symantec confirmed that SWG version 5.1.0 (& all sub-releases) and prior
releases are affected.


Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted
channel.
2013-02-22: Vendor acknowledges receipt of advisory.
2013-03-05: Requesting status update.
2013-03-05: Vendor confirms vulnerabilities, is working on solutions.
2013-03-22: Requesting status update.
2013-03-22: Vendor is still working on solutions.
2013-04-19: Requesting status update and release schedule.
2013-04-19: Vendor is in the "final phases" of releasing an update.
2013-06-05: Sending reminder regarding deadlines defined in disclosure policy.
2013-06-05: Vendor will release an update in "Mid-July".
2013-07-16: Vendor postpones update to timeframe between July 22 and 25.
2013-07-25: Vendor releases advisory and product update (version 5.1.1).
2013-07-26: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to Symantec Web Gateway version 5.1.1.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00



Workaround:
-----------
No workaround available.



Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Wolfgang Ettlinger / @2013